The chief security information officer for the Department of Defense acquisition and sustainment has begun to review the integration of Cybersecurity Maturity Model Certification requirements into U.S. Navy, U.S. Air Force and Missile Defense Agency contracts slated to be awarded late next year.
DoD said Tuesday it will use a phased approach to implement CMMC provisions mandating potential contractors to achieve CMMC compliance at the time of award. Contractors must then relay the appropriate CMMC designation to subcontractors to provide them ample time to complete program requirements.
The Pentagon finalized a rule in late November to require offerors for selected procurement efforts to comply with CMMC standards for Level 3 and below starting in fiscal 2021.
Programs that the DoD CISO team are reviewing for pilot implementation include the Navy’s integrated common processor modernization, F/A-18E/F Super Hornet fighter aircraft modification and USS Arleigh Burke guided-missile destroyer yard support.
Air Force pilot programs cover the Mobility Air Force Tactical Data Links, consolidated Broadband Global Area Network follow-on award and the Microsoft (Nasdaq: MSFT) Azure Cloud Solution efforts.
The Missile Defense Agency’s technical advisory and assistance contract will also be piloted for CMMC implementation.
The department collaborates with the U.S. Army and other defense entities to identify additional program candidates for the pilot phase.